From f99080061bcf6e1411191a23b0af188f6f001abf Mon Sep 17 00:00:00 2001 From: "byteray-cql-hub-bot[bot]" <261226166+byteray-cql-hub-bot[bot]@users.noreply.github.com> Date: Thu, 21 May 2026 11:26:34 +0000 Subject: [PATCH] =?UTF-8?q?Add=20query:=20OAuth2=20Token=20Burst=20?= =?UTF-8?q?=E2=80=94=20Token=20Harvesting=20(Microsoft=20Defender=20for=20?= =?UTF-8?q?Identity)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...esting_microsoft_defender_for_identity.yml | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 queries/oauth2_token_burst_token_harvesting_microsoft_defender_for_identity.yml diff --git a/queries/oauth2_token_burst_token_harvesting_microsoft_defender_for_identity.yml b/queries/oauth2_token_burst_token_harvesting_microsoft_defender_for_identity.yml new file mode 100644 index 0000000..83a30ea --- /dev/null +++ b/queries/oauth2_token_burst_token_harvesting_microsoft_defender_for_identity.yml @@ -0,0 +1,55 @@ +# --- Query Metadata --- +# Human-readable name for the query. Will be displayed as the title. +name: OAuth2 Token Burst — Token Harvesting (Microsoft Defender for Identity) + +# MITRE ATT&CK technique IDs +mitre_ids: + - T1528 + +# Description of what the query does and its purpose. +description: | + Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access. + +# The author or team that created the query. +author: Kundan Kumar + +# The required log sources to run this query successfully in Next-Gen SIEM. +log_sources: + - Identity + +# The CrowdStrike modules required to run this query. +cs_required_modules: + - Identity + +# Tags for filtering and categorization. +tags: + - Detection + +# --- Query Content --- +# The actual CrowdStrike Query Language (CQL) code. +# Using the YAML block scalar `|` allows for multi-line strings. +cql: | + #Vendor = "microsoft" + | #event.module = "defender-identity" + | Vendor.category = "AdvancedHunting-IdentityLogonEvents" + | Vendor.properties.LogonType = "OAuth2:Token" + | groupBy([user.name], function=[ + count(as=token_requests), + count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations), + collect(fields=[Vendor.properties.DestinationDeviceName,"Vendor.properties.AdditionalFields.ARG.CLOUD_SERVICE",Vendor.properties.Application,source.address]), + min(@timestamp, as=start_time), + max(@timestamp, as=end_time) + ]) + | token_requests >= 10 + | time_diff_min := (end_time - start_time) / 60000 + | time_diff_min <= 10 + | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC") + | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC") + | drop([start_time, end_time]) + | sort([token_requests], order=desc) + +# Explanation of the query. +# Using the YAML block scalar `|` allows for multi-line strings. +# Uses markdown for formatting on the webpage. +explanation: | + Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access.